{"id":19808,"date":"2022-08-10T03:21:26","date_gmt":"2022-08-10T11:21:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/08\/10\/news-13541\/"},"modified":"2022-08-10T03:21:26","modified_gmt":"2022-08-10T11:21:26","slug":"news-13541","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/08\/10\/news-13541\/","title":{"rendered":"Lockbit, Hive, and BlackCat attack automotive supplier in triple ransomware attack"},"content":{"rendered":"

Credit to Author: Matt Wixey| Date: Wed, 10 Aug 2022 11:00:50 +0000<\/strong><\/p>\n

\n

In May 2022, an automotive supplier was hit with three separate ransomware attacks. All three threat actors abused the same misconfiguration \u2013 a firewall rule exposing Remote Desktop Protocol (RDP) on a management server \u2013 but used different ransomware strains and tactics.<\/p>\n

The first ransomware group, identified as Lockbit<\/a>, exfiltrated data to the Mega<\/a> cloud storage service, used Mimikatz<\/a> to extract passwords, and distributed their ransomware binary using PsExec<\/a>.<\/p>\n

The second group, identified as Hive, used RDP to move laterally, before dropping their ransomware just two hours after the Lockbit threat actor.<\/p>\n

As the victim restored data from backups, an ALPHV\/BlackCat<\/a> affiliate accessed the network, installed Atera Agent<\/a> (a legitimate remote access tool) to establish persistence, and exfiltrated data. Two weeks after the Lockbit and Hive attacks, the threat actor distributed their ransomware, and cleared Windows Event Logs. Sophos\u2019 Rapid Response (RR) team investigated, and found several files which had been encrypted multiple times \u2013 as many as five in some instances.\"A<\/a><\/p>\n

Figure 1: Files which had been encrypted five times \u2013 twice each by Lockbit and Hive, and once by ALPHV\/BlackCat<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 2: The multi-attacker timeline discovered by Sophos X-Ops<\/em><\/p>\n

We\u2019ve covered several dual ransomware attacks<\/a> before \u2013 and recently investigated the phenomenon of multiple attacks more generally<\/a>, as it\u2019s something which appears to be increasingly common<\/a> \u2013 but this is the first incident we\u2019ve seen where three separate ransomware actors used the same point of entry to attack a single organization.<\/p>\n

Locks, bees, and cats: The perfect storm<\/h3>\n

\"Profiles<\/a><\/p>\n

Figure 3: A brief overview of the three ransomware groups that consecutively attacked one organization<\/em><\/p>\n

While the attacks took place in May, we discovered that a threat actor established an RDP session on the organization\u2019s domain controller, way back in December 2021. This might have been an initial access broker (IAB) \u2013 an attacker who finds vulnerable systems and sells access to them on criminal marketplaces \u2013 or an early scouting mission by one of the three threat actors.<\/p>\n

Either way, in mid-April 2022, a Lockbit affiliate gained RDP access to the organization\u2019s corporate environment through an exposed management server.<\/p>\n

Next, the threat actor moved laterally to a domain controller and other hosts, and began exfiltrating data to the Mega cloud storage service, as well as executing two PowerShell scripts: sharefinder.ps1<\/strong> (to gather information about connected domain network shares) and invoke-mimikatz.ps1<\/strong> (to extract passwords from LSASS, the Local Security Authority Subsystem Service).<\/p>\n

On May 1st, the Lockbit affiliate created two batch scripts (1.bat<\/strong> and 2.bat<\/strong>) to distribute the ransomware binaries LockBit_AF51C0A7004B80EA.exe<\/strong> and Locker.exe<\/strong> across the network, via PsExec.<\/p>\n

\"A<\/a>Figure 4: 1.bat script<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 5: 2.bat script<\/em><\/p>\n

Upon execution, the ransomware encrypted files on nineteen hosts and dropped ransom notes entitled Restore-My-Files.txt<\/strong>.<\/p>\n

\"A<\/a><\/p>\n

Figure 6: The Lockbit ransom note<\/em><\/p>\n

Two hours later, while the Lockbit threat actor was still encrypting files, a Hive ransomware affiliate gained access to the network via the same exposed RDP server and used RDP to move laterally to other hosts.<\/p>\n

Hive used legitimate software (PDQ Deploy<\/strong>) already installed on the network to distribute its ransomware binary windows_x32_encrypt.exe<\/strong>. This tactic, known as \u2018living off the land\u2019<\/a>, is popular among threat actors – particularly ransomware actors – as it has a small footprint and is less likely to be detected than downloading malicious tools.<\/p>\n

Hive\u2019s ransomware binary encrypted files on sixteen hosts and dropped a further ransom note, HOW_TO_DECRYPT.txt<\/strong>, on impacted devices.<\/p>\n

\"A<\/a><\/p>\n

Figure 7: The Hive ransom note<\/em><\/p>\n

At this point, the organization\u2019s IT team restored most of the infected systems to April 30, the day before the Lockbit threat actor began to encrypt files. From an investigative perspective, this meant some crucial evidence was lost. But the attacks were not over yet.<\/p>\n

Only a day after that system restore, an ALPHV\/BlackCat affiliate arrived, making RDP connections to domain controllers, file servers, application servers, and other hosts – all from the same management server exploited by Lockbit and Hive.<\/p>\n

The ALPHV\/BlackCat threat actor exfiltrated data to Mega over the course of a week, and established persistence by installing a backdoor: a legitimate remote access tool named Atera Agent<\/strong>. On May 15th \u2013 two weeks after the Lockbit and Hive attacks \u2013 the ALPHV\/BlackCat affiliate used the credentials of a compromised user to drop ransomware binaries fXXX.exe<\/strong> and fXXXX.exe<\/strong> on six hosts, leaving a ransom note titled RECOVER-eprzzxl-FILES.txt<\/strong> in every folder.<\/p>\n

\"A<\/a><\/p>\n

Figure 8: The ALPHV\/BlackCat ransom note<\/em><\/p>\n

Based on analysis from SophosLabs researchers, these binaries not only encrypted files but also deleted volume shadow copies and Windows Event logs. This further complicated our subsequent investigation, as the ALPHV\/BlackCat actor erased not only logs relating to their attack, but also those relating to the attacks by Lockbit and Hive.<\/p>\n

It’s not clear why Lockbit and ALPHV\/BlackCat deployed two ransomware binaries, but one possible reason is fault tolerance: If one executable is detected or blocked, or fails to encrypt, the second might act as a back-up.<\/p>\n

Key features of the BlackCat ransomware binaries<\/h3>\n

The two BlackCat ransomware binaries, fXXX.exe<\/strong> and fXXXX.exe<\/strong>, have the following functionality:<\/p>\n